(core): cdk diff fails with Need to perform AWS calls for account XXX, but the current credentials are for YYY #28690
Comments
SamuraiPrinciple
added
bug
|
If you deploy from account A to account B, generally you will need:
Please provide minimal code snippet/sample that reproduces this issue so we can investigate. |
pahud
added
p2
response-requested
|
Hi @pahud - thanks for the reply. I'm still in the process of providing isolated repro, but just a couple of details:
|
github-actions
bot
removed
the
response-requested
|
Below is the self-contained CDK app that demonstrates the issue: #!/usr/bin/env node
import * as cdk from 'aws-cdk-lib';
import {
Duration,
Stack,
StackProps,
aws_cloudwatch as cloudwatch,
aws_route53 as route53,
} from 'aws-cdk-lib';
import { Construct } from 'constructs';
class ReproStack extends Stack {
constructor(scope: Construct, id: string, props: StackProps) {
super(scope, id, props);
Array.from({ length: 55 }, (_, i) => `${i}.com`).forEach(
(domainName, i) =>
new cloudwatch.Alarm(this, `CloudwatchAlarm-${i}`, {
actionsEnabled: true,
alarmDescription: `${domainName} not healthy`,
evaluationPeriods: 1,
threshold: 1.0,
datapointsToAlarm: 1,
comparisonOperator: cloudwatch.ComparisonOperator.LESS_THAN_THRESHOLD,
metric: new cloudwatch.Metric({
namespace: 'AWS/Route53',
metricName: 'HealthCheckStatus',
period: Duration.minutes(1),
statistic: 'Minimum',
dimensionsMap: {
HealthCheckId: new route53.CfnHealthCheck(this, `Route53HealthCheck-${i}`, {
healthCheckConfig: {
type: 'HTTPS_STR_MATCH',
fullyQualifiedDomainName: domainName,
resourcePath: '/api/info/healthz',
searchString: 'pass (',
},
healthCheckTags: [{ key: 'Name', value: domainName }],
}).ref,
},
}),
})
);
}
}
const app = new cdk.App();
new ReproStack(app, 'Repro', {
env: { account: 'YYYYY', region: 'us-east-1' },
});The AWS account XXXXX is used to run the app, and the resources are provisioned in AWS account YYYYY (bootstrapping is done as you suggested). After running If I try and increase the value of Decreasing |
|
One additional comment - we have a few different stacks/constructs behaving in this way, so I don't think it's related to the kind of resources being provisioned, just their number. |
|
The same behaviour is being observed while executing The setup includes bootstrapping org accounts using a stack set hence the toolkit stack would have the name similar to StackSet-CDKToolkit-xxxxx While diff is executing, it is trying to check for the stack with name CDKToolkit which fails. The deployment works fine, however. |
|
Unfortunately I was not able to reproduce it. Can you try You should see this indicating account A is assuming the lookup-role from account B and it should work. |
pahud
added
the
response-requested
|
Will do - any chance you could try with larger value of |
|
Also, not sure if clear from the previous comments, but passing |
Also, could you please confirm your CDK version and/or command line args you use to run |
|
It looks like the diff proceeds, the messaging is just unnecessarily scary. We will tone down the error messaging |
|
@SamuraiPrinciple Your issue title and description imply the command fails. However the output log you've posted implies that the command is working, it's just falling back to the previous behavior (not using a change set) and printing an understandably scary message. Can you confirm which is the case? |
|
The diff is indeed computed, but with that (error?) message being shown. |
Thanks for the confirmation. So the unfortunate message aside, nothing is actually broken on your end? |
|
Correct. If this is indeed expected behaviour, feel free to close the issue. |
Thank you. We are going to address the messaging and look into it further. I wanted to make sure this receives the right priority. For example if the command would have failed completely, we would have reverted or released a hot fix. Definitely keeping this open for further investigation. |
github-actions
bot
removed
the
response-requested
|
I believe I have some insight here. We are experiencing the same issue, but we only get the error when the stack in question is larger than 50KiB, so I believe the issue is that the code which uploads the template to S3 is not respecting the need to assume a role in the target account. As the diff could not create a change set, it then bases the diff on template differences, which is not desirable. I would therefore consider this a bug, rather than just an issue with messaging. |
|
Here is the error we get, with trace debug on, if that helps. |
|
@pahud @mrgrain - as @scarytom mentioned, this behavior appears to be a bug in the diff being able to properly assume the trust role required to download/upload the diff to the metadata directory in the target account and so the CDK is falling back to doing a diff with disk cache locally or the like; this is breaking behavior in an automated environment where CDKPipelines has a single deployment pipeline account that uses a trust role to deploy resources to each target account in the pipeline. I've just upgraded our pipelines to If I locally assume the creds of my pipelines account to run a diff AS the pipelines account against a target account locally on my machine (something I do all the time) using the verbose command, the diff is failing to assume the trust role in the target account and gives the same error message as above but the diff succeeds using disk cache. If I then run a deploy to the target account of some change, again from my local machine AS the pipelines account, using those same creds, it succeeds (like it did before), but then if I let the change roll through my CDKPipeline in CodeBuild, the pipeline build is not detecting the changes that I deployed locally (AS the pipelines account) because the metadata in the target account from my previous deploy is not getting updated due to this failure. Previously, in To summarize:
Because the last one fails, even if I can run a successful deploy locally, the next time a deploy rolls through the pipeline, the metadata hasn't reflected my local deployment and the pipeline tries to duplicate the changes. This is blocking for us and I've rolled our infra pkg back to the previous rev but this appears to be the behavior I'm seeing. |
|
@cslogan-red I'm wondering if something else is in play here, or perhaps I'm just not fully understanding your workflow. The output of diff has no bearing on the deployment. The commands are not at all coupled. Even if the change0set version of diff fails, the original diff still runs. Do you have additional logic that first does diff and then only does deploy if there are changes present and are seeing different outputs of diff depending on the environment? Also, by There's been quite a lot of changes since |
Yep. If you are specifically wanting the change-set diff and it's failing, even with the fall back to classic diff succeeding, definitely a bug. And I think it's likely your correct on your assessment of what's going on here. |
|
@TheRealAmazonKendra thank you for responding, I was in these trenches for AWS Amplify so I know what it's like from your side. More that the diff & deploy locally when using a trust The short version is that it appears to be a bug when two levels of IAM role hierarchy are assumed...my pipelines accounts have trusts to their target deployment accounts (1 level of role assume via CDK), and I am able to assume the creds of any of my pipelines accounts locally, so as the pipelines account, run a diff & deploy against a target account manually from my machine (2nd level of role assume via CDK) and this worked w/o error on the earlier CDK version. Then, in my CDKPipeline pipelines, any stage that was already deployed to manually (like to dev, manually smoke test or a canary) AS one of the pipelines accounts would result in a no-op once the deploy reached that stage as the templates were the same. I am seeing an error once I let my release roll through my pipelines where envs that I manually diffed & deployed to locally (AS the pipelines trust account) on this latest release are attempting to redeploy the changes I've already deployed and so the CF stack fails because resources already exist (it's trying to apply the change set that I've already deployed locally as the same pipelines account, the prev CDK rev did not have this issue) My infra repo packages the CDK diff & deploy commands into separate NPM commands (to apply a linter and minification but the final command is just a I'll take another look tomorrow to see if I can see anything else, but I know that if I do the same thing in my dev env with the manual diff & deploy locally as the pipelines account, that I can repro this failure message, and the resulting pipeline CloudFormation stack failure when the pipeline tries to roll the current state of the codebase through the already deployed env. |
|
@TheRealAmazonKendra so I can confirm reverting back to If all I do is revert my primary CDK infra repo back to Below is my config for my diff & deploy commands that I run locally: And what runs in the CDKPipelines build container: The lookup param is just a flag to grab dynamic env config from SSM and the minify script just minifies the output JSON templates. Lmk if you see something obvious with the commands that would result in this behavior? I've been running this setup in these pipelines for over a year w/o issue and it's common for an engineer to diff & deploy something locally AS the pipelines account for testing and then release the change via a release branch once safe, and any already deployed envs result in no-ops because the diffs show the templates have no changes. |
|
@TheRealAmazonKendra @pahud attempted to update to the latest CDK version and lib today and this is still fundamentally different due to the changes introduced in v119 in this commit 10ed194, where v118 and previous versions work as expected. This is really easy to reproduce:
If you repeat the above steps but start with a clean install of anything after 
If you then deploy this change locally, it will still succeed (w/o the error), but the same scenario of then letting it roll through a CDKPipeline will not see the changes you've deployed locally and CloudFormation will attempt to duplicate the changeset you've already deployed locally. I haven't had time to dig into the commit that created this behavior to submit a PR w/ the fix, for now I'm just leaving my infra at |
Describe the bug
When running
cdk diffon a project with stack that belong to multiple AWS accounts (bootstrapped so that a IAM role is assumed by CDK), the following error is reported:This only happens since version 119 (120 is affected too).
Running
cdk deployfor the same stack works correctly.Expected Behavior
cdk diffshould work correctly as beforeCurrent Behavior
cdk difffailsReproduction Steps
will try and provide an isolated example later, but this only happens for two stacks (out of ~10 identical ones across different accounts).
Possible Solution
No response
Additional Information/Context
No response
CDK CLI Version
2.120.0 (build 58b90c4)
Framework Version
No response
Node.js Version
v20.10.0
OS
Linux
Language
TypeScript
Language Version
No response
Other information
No response
The text was updated successfully, but these errors were encountered: